133 Molesworth Street
PO Box 5013
Wellington 6140
New Zealand
T+64 4 496 2000
23 February 2024
M Bell
By email: [FYI request #25290 email]
Ref: H2023034615
Tēnā koe M Bell
Response to your request for official information
Thank you for your request under the Official Information Act 1982 (the Act) to the Ministry of
Health - Manatū Hauora (the Ministry) on 23 December 2023 for information regarding the
COVID-19 vaccination data breach at Health New Zealand – Te Whatu Ora. You requested:
“…all internal communications between the members of the executive leadership team for
MoH including meeting minutes, instant messages etc that discuss the response /
damage control in relation to the ongoing analysis of the leaked vaccination data
indicating very significant safety signals for death.”
On 11 January 2024, you clarified your request to be relating to information specifically held by
the Ministry’s Executive Governance Team (previously the Executive Leadership Team).
A former Health New Zealand employee inappropriately released information outside the
organisation that contained private health information. As the monitoring agency for Health New
Zealand, the Ministry of Health was informed by senior leaders of Health New Zealand on the
unauthorised data breach.
As legal matters relating to the incident are ongoing, the Ministry has consulted with Health New
Zealand to ensure that their interests were considered in this response.
The Ministry has identified seven documents within scope of your request. All documents are
itemised in Appendix 1, and copies of the documents are enclosed. Where information is
withheld under section 9 of the Act, I have considered the countervailing public interest in
releasing the information and consider that it does not outweigh the need to withhold at this
time.
Some information has also been withheld under section 6 of the Act. Specifically, it is necessary
to withhold some information pursuant to section 6(c) of the Act, where disclosure would
prejudice the maintenance of the law. Given the sensitivity of this matter, it is important that the
integrity of the investigation process is preserved.
Further, some information is also being withheld pursuant to section 6(d) of the Act, to maintain
public safety. As signalled above, investigation into this matter is ongoing. The release of some
information would likely endanger the safety of individuals. It is therefore necessary to protect
the individuals or groups involved is mitigated by not releasing information prematurely. This
includes revealing specific information that may enable or encourage harm to the public or risk
of emergencies and undue panic.
Once the investigation concludes and all pertinent information is gathered, Health New
Zealand will consider the release of further information regarding the findings and any
subsequent actions taken in response to the incident.
A large amount of the information contained in this response has been provided to the Ministry
by Health New Zealand. The Ministry is not a party to any legal proceedings or actions taken
resulting from the breach. You may be interested to know that Health New Zealand also
provides regular updates on the data breach on their website:
www.tewhatuora.govt.nz/our-health-system/data-and-statistics/data-breaches/unauthorised-data-breach-update/.
I trust this information fulfils your request. If you wish to discuss any aspect of your request
with us, including this decision, please feel free to contact the OIA Services Team on:
[email address].
Under section 28(3) of the Act, you have the right to ask the Ombudsman to review any
decisions made under this request. The Ombudsman may be contacted by email at:
[email address] or by calling 0800 802 602.
Please note that this response, with your personal details removed, may be published on the
Manatū Hauora website at: www.health.govt.nz/about-ministry/information-releases/responses-official-information-act-requests.
Nāku noa, nā
Dr Andrew Old
Deputy Director-General
Public Health Agency | Te Pou Hauora Tūmatanui
Document 1
From: Andrew Old
Sent: Friday, 1 December 2023 3:48 pm
To: Diana Sarfati
Cc: Lisa McPhail
Subject: Out of scope ]: SitRep - Data Breach
Attachments: 2023.12.01 1500 Sitrep - Data breach.docx
FYI
Dr. Andrew Old (he/him)
Deputy Director-General
Public Health Agency | Te Pou Hauora Tūmatanui
+64 4 466 5542 | [email address]
RELEASED UNDER THE OFFICIAL INFORMATION ACT 1982
From: Emily Richards <[email address]>
Sent: Friday, 1 December 2023 3:26 pm
To: Margie Apa <[email address]>; Andrew Slater <Andrew [email address]>; Fiona McCarthy
<[email address]>; Sue Gordon <[email address]>; Catherine Delore
<[email address]>; Peter Alsop <[email address]>; Nick Chamberlain
<[email address]>; Andrew Old <[email address]>; Michael Dreyer
<[email address]>; Justin Rawiri-Ext <[email address]>; Matt Carey
<[email address]>; Martin Hefford <[email address]>; Sonny Taite
<[email address]>; Kelly Mitchell <[email address]>; Danya Levy
<[email address]>
Subject: SitRep - Data Breach
Kia ora koutou
Ahead of the meeting at 4.30pm, please see attached SitRep which has just been sent over to the Minister’s office.
Ngā mihi nui
Emily Richards
Head of the Office of the Chief People Officer
People & Communications
waea pūkoro: S9(2)(a) | īmēra: [email address]
69 Tory Street, Wellington| PO Box 793, Wellington 6140
Te Whatu Ora – Health New Zealand
TeWhatuOra.govt.nz
Document 1A
Situation Report #1
Data Breach
Confidential and not for further distribution
Date: 1 December 2023
Time: 3.00pm
Event Name: Data Breach
Prepared by:
Incident Controller/SRO: Sue Gordon
Contact Details: S9(2)(a)
Background
This Situation Report (SitRep) provides an update on our response to an employee using and commenting
on data publicly, including an email to a wide range of MPs. The employee has also made public a video
with Liz Gunn. The employee is alleging that COVID vaccinations have been responsible for a large number
of deaths; the assertions are not correct and have no scientific validity.
We are closely monitoring this situation and will keep in close contact with the Minister’s Office throughout
the weekend. An update will also be provided in our officials meeting on Monday at 9.00am. We are
running this as an incident management response. There are a number of workstreams currently
underway.
Workstreams

Function: Communications
Update: Public: Our proactive media statement, released on Friday at 2.00pm, is attached and provides information on our response to, and management of, the incident. Margie Apa is the overall spokesperson and will be supported by Andrew Old for public health messaging. We will continue to provide support and liaison to the Minister’s Office as required
Next steps: Margie Apa will be appearing on One News and RNZ Checkpoint today. The media team will field media queries over the weekend and will keep the Minister’s Office informed.
Update: Internal: We have met with the employee’s team to advise them of the situation at a high level, and offered appropriate support.
Next steps: We are not intending any further internal communications at this stage

Function: Employment matters
Update: Once aware of the event (being the email to MPs), the employee was locked out of his work email and out of work information systems and databases. S9(2)(a)
Next steps: S6(c)

Function: Information security
Update: We have sought and expect to receive late Friday an injunction against use and/or sharing of the information (and returning all information, materials and equipment) from the Employment Relations Authority. This covers the employee and also includes a wider prohibition on use and sharing of the information by other parties (such as media outlets). This now provides a basis to legally enforce the injunction if information is used or shared.
Next steps: Once the injunction is granted, we will enforce it as appropriate
Update: The Cyber IMT was activated in support of this event. There are three workstreams of activity:
o Email analysis, data transfer analysis, log history analysis
o Additional specialist forensics skills for a more detailed review of activity
o Aotearoa Immunisation Register - additional protections are being established in light of the elevated risk profile
As a precautionary step, a third party vendor has also been stood down given a close working relationship with the employee
Next steps: Detailed analysis of the employee’s full email records to try identifying any emails sent and potential data extraction

Function: Privacy
Update: Given peoples’ personal information is involved – both the threat to release information and inappropriate use by employee – we have registered this incident as a privacy breach with the Office of the Privacy Commissioner.
Next steps: Our protocols for managing and responding to privacy breaches, including related to information security, will be followed.

Function: Key stakeholders
Update: S6(d)
Next steps: Debrief from engagements at 4.00pm
Next steps
The next meeting of the Te Whatu Ora | Health New Zealand Incident Management Team is today at
4.30pm. We will establish a reporting cadence for the weekend and will keep the Minister’s Office
informed.
Document 2
From: Diana Sarfati
Sent: Sunday, 3 December 2023 2:01 pm
To: Simon Medcalf; Andrew Old
Subject: RE: 2023.12.02 Sitrep - Data Breach
Follow Up Flag: Follow up
Flag Status: Flagged
Will do
From: Simon Medcalf <[email address]>
Sent: Sunday, 3 December 2023 12:10 pm
To: Diana Sarfati <[email address]>; Andrew Old <[email address]>
Subject: Re: 2023.12.02 Sitrep - Data Breach
Thanks Andrew.
Di - it looks like this is in hand, but let me know if you need anything from me today.
S
From: Diana Sarfati <[email address]>
Sent: Sunday, December 3, 2023 8:47:22 AM
To: Andrew Old <[email address]>; Simon Medcalf <[email address]>
Subject: RE: 2023.12.02 Sitrep - Data Breach
We absolutely should be keeping close eye. I will be meeting with Minister, Margie and Karen at 2pm today. They
are doing an excellent job, and keeping us well up to date so far.
From: Andrew Old <[email address]>
Sent: Saturday, 2 December 2023 5:17 pm
To: Diana Sarfati <[email address]>; Simon Medcalf <[email address]>
Subject: Fw: 2023.12.02 Sitrep - Data Breach
For info. Given the scope and involvement of Minister, Police and DIA, not sure if MoH should have a
more formal monitoring role? I'm happy to stay connected in the meantime and will forward on these
updates.
From: Single Point of Contact <nhcc [email address]>
Sent: Saturday, 2 December 2023 4:47 pm
To: Andrew Slater <[email address]>; Fiona McCarthy <[email address]>; Sue
Gordon <[email address]>; Catherine Delore <[email address]>; Peter Alsop
<[email address]>; Emily Richards <[email address]>; Margie Apa
<[email address]>; Andrew Old <[email address]>; Michael Dreyer
<[email address]>; Shane Heath - Waitaha <[email address]>; Sue Ramsay
<[email address]>; Kelly Mitchell <[email address]>; Danya Levy
<[email address]>; Martin Hefford <[email address]>; Sonny Taite
<[email address]>; Nick Chamberlain <[email address]>; Catherine
Cooper <[email address]>; Matt Hannant <[email address]>; Matt Hannant
<[email address]>; Toni Atkinson <[email address]>; Aparna Hemapriya - EXT
<[email address]>
Cc: Single Point of Contact <nhcc [email address]>; Chris Blackford <[email address]>; Tarannum
Shaikh <[email address]>; Justin Rawiri-Ext <[email address]>
Subject: 2023.12.02 Sitrep - Data Breach (Please refer to Document 1A)
Tēnā koe,
Please see latest sitrep regarding the vaccine data breach.
Ngā mihi,
Matt
Matt Carey, DSD
Manager, Engagement
Emergency Management
waea: +64 4-974 3545 | waea pūkoro: S9(2)(a) | īmēra: [email address]
133 Molesworth Street, Pipitea, Wellington 6011
Te Whatu Ora – Health New Zealand
TeWhatuOra.govt.nz
Document 3
From: Andrew Old
Sent: Sunday, 3 December 2023 10:39 am
To: Diana Sarfati
Subject: Re: Out of scope : DATA BREACH UPDATE
Thanks Di. I'll join the call at 1100, but looks increasingly likely it will remain a Te Whatu Ora
issue. Your 2pm briefing with Margie and Chair noted too.
Cheers, A
From: Diana Sarfati <[email address]>
Sent: Sunday, 3 December 2023 8:45 am
To: Andrew Old <[email address]>
Subject: FW: Out of scope : DATA BREACH UPDATE
Probably all as you already know, but for completeness
From: Margie Apa <[email address]>
Sent: Saturday, 2 December 2023 6:53 pm
To: Karen Poutasi S9(2)(a); Amy Adams S9(2)(a); Vanessa Stoddart S9(2)(a); Naomi Ferguson S9(2)(a); Jeff Lowe S9(2)(a); Curtis Walker [MidCentral] <[email address]>; Tipa Mahuta <[email address]>
Cc: Riana Manuel <[email address]>; Diana Sarfati <[email address]>; Peter Alsop
<[email address]>; Nick Chamberlain <Nick [email address]>; Leigh Donoghue
<[email address]>; Sonny Taite <[email address]>
Subject: Out of scope : DATA BREACH UPDATE
Importance: High
Kia ora Board and colleagues, a quick update on escalation overnight and actions over coming 24-48 hours. 2pm
briefing held with Minister and Chair today and scheduled for tomorrow at 2pm. Likely second public media release
to be confirmed tomorrow pm and co-ordinating with Prime Minister’s office on timing.
Situation Report highlights since last night’s email to you:
All injunctions were granted yesterday after 5pm by ERA (used instead of High Court as an employee matter) covering use and sharing of data, emailed and being served in person;
Since Liz Gunn’s video post on Thursday, cyber security team have been scanning dark web, internet, social media for heads up on where data may appear;
Midnight Friday they found a video upload of a webinar at/via MIT in the USA mentioning whistleblower release of official NZ data and referred to a weblink to download. The video was uploaded midnight Friday;
S6(d)
S9(2)(h)
Although website is USA owned and outside our jurisdiction they have taken down data at 1.10pm today.
S9(2)(h)
S9(2)(h)
S9(2)(h)
S9(2)(h)
Agencies informed/advised and providing advice:
Office of Privacy Commissioner (breach lodged Friday)
DIA cyber security unit (tap into public sector expertise)
NZ Police, including General Counsel re:urgency
S9(2)(h)
By tomorrow pm we aim to:
Have more confidence on the scope of data downloaded and assess risk that individuals/providers can be identified;
Have devices from person of interest in our possession for further forensic analysis;
Know more on how many times data was downloaded from weblink;
Clarity on whether criminal charges can be laid;
Remove all video and content and keep monitoring international situation, and suppress links as they appear
Have more understanding of Person of Interest activities over his employment with Manatu Hauora/Te Whatu Ora
Monitoring of impact on vaccination confidence in public.
We are checking in with providers again on Monday.
Please call me if you need more. Warm r’s M.
Document 4
From: Diana Sarfati
Sent: Sunday, 3 December 2023 2:09 pm
To: Simon Medcalf; Andrew Old
Subject: FW: Aide Memoire - Data breach - key information for briefing government colleagues
Attachments: Aide Memoire - Data breach - key information for briefing government colleagues.pdf
Follow Up Flag: Follow up
Flag Status: Flagged
FYI
From: Peter Alsop <[email address]>
Sent: Sunday, 3 December 2023 2:04 pm
To: Andrea Harris <[email address]>; charlotte gendall-Ext
<[email address]>; Aparna Hemapriya - EXT <[email address]>
Cc: Karen Poutasi S9(2)(a); Margie Apa <Margie.Apa@health govt.nz>; Diana Sarfati
<[email address]>; Catherine Delore <[email address]>; Emily Richards
<[email address]>; Andrew Slater <[email address]>
Subject: RE: Aide Memoire - Data breach - key information for briefing government colleagues
Please see slightly updated version; small inaccuracy in para 22 has been corrected (important correction to refer to
the nature of the threats)
From: Peter Alsop
Sent: Sunday, 3 December 2023 1:37 pm
To: Andrea Harris <[email address]>; Charlotte Gendall <[email address]>;
Aparna Hemapriya - EXT <[email address]>
Cc: Karen Poutasi S9(2)(a); Margie Apa <[email address]>; Diana Sarfati
<[email address]>; Catherine Delore <[email address]>; Emily Richards
<[email address]>; Andrew Slater <[email address]>
Subject: Aide Memoire - Data breach - key information for briefing government colleagues
Andrea, Aparna, Charlotte
Pls find a short AM attached.
Margie and others will see the Minister online at 2pm for the next oral briefing.
Pete
Document 4A
Out of scope
Purpose
1. Further to earlier updates provided to you, this is a high-level overview of the situation
which may be useful, at your discretion, for sharing with your government colleagues.
2. This briefing updates you on the unauthorised removal of data from Te Whatu Ora |
Health New Zealand’s administrative databases by a staff member S6(c)
(referred to as Person of Interest or POI).
3. S6(c) These assertions are completely wrong and ill-informed.
4. We are extremely disappointed in the actions of the POI and are taking all possible steps
to safeguard the information of people in relation to the unauthorised disclosure and
misuse of data to spread misinformation by the POI.
5. A further public statement will be made this afternoon as a follow up to our media
release on Friday 1 December.
6. This breach has been notified to the Office of the Privacy Commissioner. We are working
closely with them and other government agencies, including Ministry of Health (including
the Public Health Agency), National Cyber Security Centre, DIA and Police.
Situation overview
7. On Thursday 30 November, a staff member from our Data & Digital team emailed
officials and Members of Parliament asserting he had information that showed officials
had understated the excess mortality from COVID19 vaccinations. This staff member is
a database administrator S9(2)(a)
8. The POI presented screenshots of information on vaccinating providers on Thursday 30
November in a video interview with Liz Gunn, an online commentator on vaccines.
Details of eleven pharmacies and vaccination providers were shown in the video,
although details of individual vaccinators do not appear to have been released.
9. The video seems to feature data removed or extracted from our databases without
authority. Orders by the Employment Relations Authority have been served to require
that information obtained from this breach is not used publicly or shared (by relevant
individuals and other parties as well).
10. The POI has no clinical training or knowledge in vaccines. S9(2)(a)
11. S6(c)
12. Continuous cyber security scanning is in place across the internet (including the dark
web), social media and other channels to detect data that may appear and is being used
publicly.
How the situation evolved
13. After the initial video was seen domestically, overnight on Friday/Saturday 1/2 December
a video upload of a webinar at MIT in the USA mentioned release of official NZ data.
This webinar referred to a weblink to download from the Wasabi platform which is based
overseas. The weblink was found to contain data that seems to have been sourced from
New Zealand’s official health databases.
14. Our cybersecurity downloaded data from the website for analysis. Early analysis shows
information has S9(2)(a) but no personally identifiable
information has been detected at this stage. The team is continuing to analyse the data
with an initial focus on establishing whether any personally identifiable information has
been published.
15. S9(2)(h)
We are seeking information on how many times data was downloaded and
by whom.
16. Internationally, the data has re-emerged and there are multiple online links related to the
matter. We will continue to pursue take-down orders of data internationally, S9(2)(h)
17. S6(d)
18.
Next steps
19. The response is currently in the first phase of Response and Investigation. The priority
objectives are to assess whether the data published is likely to lead to identifying
individuals including patients and providers/vaccinators that have delivered
vaccinations,
S9(2)(a)
20. The focus right now is to:
• Continue forensic work on the data
• Enforce take down orders as far as practical (some international sites will not act
or use requests to cast New Zealand in a negative light, so judgments are being
made)
• Proceed with the employment investigation of the POI
• Clarify the scope of information taken and its potential to identify individuals
and/or providers.
21. There will be a full review once the response phase has been completed to make sure we
take on board any lessons that might be learned.
22. More generally to this incident, we note that there have been bomb threats in recent
weeks (including very recently) to some of our sites and a small number of private
hospitals and primary and community care services. At this time, there is no evidence
that the data breach and threats are linked. Police have been advised of all threats and
they are confident, given the nature of the emails, that any actual threat is considered
low.
Document 5